When it comes to cybersecurity, companies must not underestimate the importance of basic controls. The pandemic-induced shift to working from home has exposed employees and employers to new cyber risks, raising the stakes for cyber best practices and education.
Cyber criminals typically follow a playbook in which they go after the lowest-hanging fruit: organizations that lack the most basic controls, such as those with remote desktop protocol (RDP) exposed to the internet and those that do not require multi-factor authentication (MFA) for remote access or for administrative access to corporate networks.
“They’re not breaking into Fort Knox; oftentimes, the threat actors are walking through an open door,” said John Menefee, cyber product manager at Travelers. “Organizations that lack the most basic of controls are the most likely to experience a claim.”
MFA is a defensive measure that businesses should incorporate into their cyber risk mitigation because it can block automated credential-stuffing bots and most bulk phishing, which only harvest a username and password. It is an authentication method that requires the user to present two or more verification factors (for example, something they know, such as a password, plus something they have, such as a phone or hardware token) to gain access to a resource such as an application, online account, or VPN.
“MFA is one of the most basic cybersecurity controls, but it can be enough of a hurdle to put a threat actor off,” Menefee told Insurance Business. “A lot of the claims that we see are email compromise events – when a threat actor gains access to an employee’s username and password and uses that to access their web-based email account. Something as simple as requiring MFA to gain access to that email account, even if it’s just a text message to a cell phone (which is probably one of the least secure versions of MFA) is probably enough to deter most email compromises that we see.”
There are ways for threat actors to bypass MFA. SIM swapping moves the victim’s phone number to a device the attacker controls, so SMS codes are delivered to the attacker; an adversary-in-the-middle phishing proxy sits transparently between the victim and the real login page, relays the password and one-time code in real time, and captures the authenticated session cookie that comes back. Only phishing-resistant methods such as FIDO2/WebAuthn security keys, whose response is bound to the site’s origin, defeat that relay. More sophisticated hackers use these tactics to compromise organizations with good cybersecurity controls, but, as Menefee pointed out, they tend to be the exception rather than the rule.
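The two MFA passages above (what a second factor is, and why a relayed one-time code still gets through) can be made concrete with a small verifier. The following is an added example, not code from the article or from Travelers; it implements HOTP/TOTP (RFC 4226 / RFC 6238) with the standard library, uses the RFC test secret rather than any real key, and the "phished at / submitted at" timings in the relay function are assumptions chosen to show the time-step window.

```python
"""HOTP/TOTP verification (RFC 4226 / RFC 6238), standard library only.

Added example, not from the article. Shows (1) how a one-time code is derived
from a shared secret and the current 30-second step, (2) the +/-1 step window
and replay check a verifier applies, and (3) why a code phished by an
adversary-in-the-middle proxy and relayed within that window is still accepted.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, t: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if t is None:
        t = time.time()
    return hotp(secret, int(t // step), digits)


class TotpVerifier:
    """Server-side check: accept the current step or its neighbours, each at most once."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1  # highest step already consumed (replay guard)

    def verify(self, code: str, t: Optional[float] = None) -> bool:
        if t is None:
            t = time.time()
        now = int(t // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = now + delta
            if candidate <= self.last_accepted_step:
                continue  # already used: reject a replay of an earlier code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def relayed_code_is_accepted(secret: bytes, phished_at: float, submitted_at: float) -> bool:
    """Model the proxy bypass: the victim types the code into a phishing page at
    `phished_at`; the proxy forwards it to the real site at `submitted_at`.
    Returns True when the real verifier accepts it. The verifier has no way to
    tell the relayed code from one typed directly by the user."""
    victim_code = totp(secret, phished_at)
    return TotpVerifier(secret).verify(victim_code, submitted_at)


if __name__ == "__main__":
    print("HOTP(secret, 0) =", hotp(TEST_SECRET, 0))   # 755224 per RFC 4226
    print("TOTP at t=59    =", totp(TEST_SECRET, 59))  # 287082 (time step 1)
    print("relay after 11 s accepted:", relayed_code_is_accepted(TEST_SECRET, 59, 70))
    print("relay after 2 min accepted:", relayed_code_is_accepted(TEST_SECRET, 59, 180))
```

The replay guard only stops the same code being used twice; it does nothing against a proxy that submits the code first, within the ~30-second step, which is the gap that origin-bound FIDO2/WebAuthn closes.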
“It’s the organizations without any form of MFA that are the most vulnerable; they’re the companies we’re seeing be impacted by these types of breaches over and over again,” he stressed. “There are different ways to implement MFA – some more secure than others – but companies just need to get MFA of any kind. It’s often a setting within the platform itself, turn it on, and the vast majority of email compromise events could be prevented with that simple control.”
A second key play in the cyber threat actor playbook is to target companies with RDP exposed to the internet. RDP (Microsoft’s Remote Desktop Protocol, normally TCP port 3389) gives an interactive session on a remote Windows desktop or server. In recent years, internet-facing RDP has become one of the most common initial access vectors: criminals guess, steal, or buy valid credentials, log in, and from there access enterprise data and install cryptominers, keyloggers, backdoors, and other malware.
“One of the problems with having RDP open is that it makes the organization visible to threat actors,” Menefee explained. “It’s like a shining light in the darkness. There are so many organizations out there, but when you have RDP visible to the internet, you’re automatically in a threat actor’s crosshairs and you’re automatically vulnerable because there are only a finite number of organizations that use RDP. Having it open, you’re setting yourself up to be targeted.
“Once you’re targeted, it’s as simple as the threat actor finding the right credentials to gain access, and then if there are no MFA requirements, they can get right in. How do you protect against that? Say no to RDP. Find another more secure way for your employees to remotely gain access to the corporate network. Use a VPN and require that any employee with remote access capability to the network must gain access through MFA. Any vendor that you use, any service provider, anyone that helps manage your network - make it a requirement that they have to gain access using MFA to your network.”
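The attack Menefee describes, a threat actor hammering an exposed RDP service until the right credentials land, leaves a characteristic trail in the Windows Security log: a run of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, then a successful logon (4624) from the same address. The detection below is an added example, not code from the article or from Travelers. The events are constructed and simplified (real 4624/4625 records carry many more fields, though TargetUserName, IpAddress and LogonType are the real names), and the thresholds of five failures within ten minutes are assumptions to tune for your environment.

```python
"""Flag a brute-forced RDP logon in (constructed) Windows Security events.

Added example, not from the article. Pattern: >= min_failures failed RDP
logons (4625, LogonType 10) from one IpAddress within `window`, followed by
a successful RDP logon (4624) from that same IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RDP_LOGON_TYPE = 10  # RemoteInteractive (Terminal Services / RDP)
LOGON_FAILED = 4625
LOGON_SUCCESS = 4624

# Constructed sample events (UTC), simplified to four fields.
# 203.0.113.45 sprays three accounts and then gets into "backup";
# 198.51.100.7 fails a few times and gives up; 10.0.0.5 is a user who
# mistyped a password once. The LogonType 3 record is a network logon
# and must be ignored by an RDP-specific rule.
SAMPLE_EVENTS: List[Dict] = [
    {"TimeCreated": "2021-03-02T02:14:05", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:14:31", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:15:02", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:15:40", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:16:11", "EventID": 4625, "TargetUserName": "backup", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:16:40", "EventID": 4625, "TargetUserName": "backup", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:16:50", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.45", "LogonType": 3},
    {"TimeCreated": "2021-03-02T02:17:02", "EventID": 4624, "TargetUserName": "backup", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:30:00", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:30:20", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeCreated": "2021-03-02T02:30:45", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeCreated": "2021-03-02T08:01:02", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"TimeCreated": "2021-03-02T08:01:30", "EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5", "LogonType": 10},
]


def _rdp_events(events: List[Dict]) -> List[Dict]:
    """Keep only RDP logon events, parse timestamps, and sort chronologically."""
    out = []
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue
        out.append(dict(e, TimeCreated=datetime.fromisoformat(e["TimeCreated"])))
    return sorted(out, key=lambda e: e["TimeCreated"])


def detect_rdp_bruteforce(events: List[Dict], min_failures: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per source IP whose successful RDP logon was preceded
    by at least `min_failures` failed RDP logons inside `window`."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in _rdp_events(events):
        by_ip[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures: List[Dict] = []
        for e in evs:
            if e["EventID"] == LOGON_FAILED:
                failures.append(e)
            elif e["EventID"] == LOGON_SUCCESS:
                recent = [f for f in failures if e["TimeCreated"] - f["TimeCreated"] <= window]
                if len(recent) >= min_failures:
                    alerts.append({
                        "IpAddress": ip,
                        "CompromisedAccount": e["TargetUserName"],
                        "FailedAttempts": len(recent),
                        "AccountsTried": sorted({f["TargetUserName"] for f in recent}),
                        "FirstFailure": recent[0]["TimeCreated"].isoformat(),
                        "SuccessAt": e["TimeCreated"].isoformat(),
                    })
                failures = []  # a success closes the current attempt series
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The success-after-failures pairing is what separates a real compromise from the constant background scanning an internet-facing RDP host attracts; the failures alone, from 198.51.100.7 here, are worth counting but are not the alert. With MFA in front of the session, the 4624 never happens.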
While cybersecurity controls like MFA and keeping RDP off the internet might sound basic, there are still many organizations – including large companies with more sophisticated risk management practices – that lack these controls, leaving plenty of low-hanging fruit for threat actors to pick and exploit.